Cisco ASA Redundant interface

casingnj2
Level 1

Hello,

We are looking at upgrading an aging firewall with a Cisco ASA. I have used the ASA before.

We would like to use the ASA in a colocation facility that will have a few site-to-site VPNs. The ASA MUST be able to have redundant interfaces to our switches. Reading through the ASA documentation, this is possible. (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838) Can the ASA have redundant links to the same VLANs? Will any of our configuration for VPNs, etc. have to be set up twice?

Thanks

5 Replies

The configuration of the redundancy is completely transparent to the configuration of other features on the ASA. So you don't have to configure anything twice.


Sent from Cisco Technical Support iPad App

Marvin Rhoads
Hall of Fame

There are four types of redundancy that one can use on ASAs. The first one you cited, redundant interfaces on a single physical device, is the least common in my experience.

The second is failover - when the ASA is mated with a failover ASA in a high availability configuration. This is the most common usage for customers requiring high availability (HA). That is the most common implementation and has been around since ASA 7.0 software (i.e. a good many years).

The third is to bond your interfaces from a given ASA (or sets of interfaces if you have an HA pair) into an EtherChannel. This has the added advantage of giving you potentially higher throughput. EtherChannel support was introduced in ASA software version 8.4(1).

The fourth and newest method is clustering. It was introduced just last fall in ASA 9.0 and is not very widely adopted just yet. It is primarily for high throughput requirements exceeding a single device's capacity but also gives the added benefit of redundancy.

None of them require you to set up things twice configuration-wise. Some file operations (software upgrade, certificate management, VPN profiles (XML files)) need to be copied onto both members in a failover pair or all members in a cluster scenario.

Edit - there is a fifth type specific to VPNs whereby one can configure a secondary VPN gateway for clients, usually at an alternate site. That approach does require setting up everything separately on the ASAs.
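To make the first two options from the list concrete for the original question (redundant links into the same VLANs, with no duplicated feature configuration), here is an added ASA configuration sketch. It is not from this thread or from Cisco documentation; interface names, VLAN IDs and addresses are assumed values. It shows a redundant interface whose two physical members go to two separate switches, with VLAN subinterfaces on top, and an EtherChannel as the alternative when the switch side can form a port-channel.

```cisco
! Added example, not from the thread. Names, VLANs and addresses are assumed.
!
! Member physical interfaces of a redundant interface carry no nameif,
! security-level or IP address of their own; they exist only to carry Redundant1.
interface GigabitEthernet0/0
 description link to switch A
 no nameif
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet0/1
 description link to switch B
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Logical redundant interface: one member active, the other standby.
! Both switch ports must be configured identically (same trunk / allowed VLANs),
! since traffic can appear on either link after a failover.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! VLAN subinterfaces on the redundant interface. Everything else on the box
! (ACLs, NAT, crypto maps, tunnel groups) references the nameif of these
! subinterfaces, never the member interfaces, so nothing is configured twice.
interface Redundant1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
interface Redundant1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! Alternative from ASA 8.4(1): LACP EtherChannel, both links forward traffic.
! Requires the switch side to be a single logical port-channel (one switch,
! a stack, or a multi-chassis EtherChannel), unlike the redundant interface above.
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet0/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
interface Port-channel1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
```

After applying this, `show interface Redundant1 detail` reports which member is currently active, which is the first thing to check when verifying that a failed link actually moved traffic to the other switch. The operational difference worth noting for the OP's colocation case is that the redundant interface tolerates two independent, unstacked switches, while the EtherChannel needs both links to terminate on what the switch side sees as one port-channel.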

Hi Marvin,

To have a really complete list of redundancy features, the VPN cluster should also be mentioned. That feature came from the VPN 3000 concentrator and is also available from the first ASA version on. Its purpose was to scale Remote-Access VPN to a higher user count and give availability if VPN gateways fail. Contrary to the other features, all members had to be configured independently.

And to add to the new cluster introduced in v9.0: that feature is only for the 5585-X.


Sent from Cisco Technical Support iPad App

Ah yes Karsten - I forgot about the VPN clustering. I've not set up one of those yet. Thanks for adding that one to the list.

I think I see the outline of a useful blog post in this.

> I think I see the outline of a useful blog post in this.

We look forward to reading that ... ;-)


Sent from Cisco Technical Support iPad App
